CRA says 900 Social Insurance Numbers taken in 'Heartbleed' exploit

The RCMP is investigating after the Social Insurance Numbers of approximately 900 taxpayers were taken from Canada Revenue Agency systems by someone exploiting the Heartbleed bug, the tax agency said in a statement on Monday.

"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," tax agency Commissioner Andrew Treusch said.

"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," he said.

Analysis shows that no other CRA infiltrations took place before or after this breach.

The tax agency first removed public access to its online services on April 8, after learning its systems were vulnerable to the Heartbleed bug.

Canadians can file their taxes online at the CRA's online services site, as well as access such online services as EFILE, NETFILE, My Account, My Business Account and Represent a Client.

The CRA website was just one of many that were affected by Heartbleed. On April 10, all federal government departments were ordered to disable public websites susceptible to the bug until all security updates had been put in place and tested.

On Monday, the CRA said it "worked around the clock" after the temporary shutdown to implement a "patch" for the bug and test all systems, before relaunching online services on Sunday.

Affected individuals

To ensure communications are secure and cannot be exploited through phishing schemes, the Canada Revenue Agency will not be calling or emailing individuals to inform them of the breach.

Instead, each affected individual will receive a registered letter informing them of the breach, and will also be provided with credit protection services at no cost.

The tax agency also assures those affected that additional protections will be applied to their CRA accounts.

The Privacy Commissioner of Canada was informed of the breach on Friday, a spokesperson confirmed.

“More broadly, we are closely monitoring the technical developments as they emerge so that we understand the potential privacy implications of Heartbleed,” Valerie Lawton, senior communications advisor with the Privacy Commissioner of Canada said in a statement.

During the temporary closure to the online services site, the tax agency informed Canadians they would be given an extension to file their taxes without interest or penalties.

Ontario's information and privacy commissioner was asked to comment on the Heartbleed bug during a press conference on Monday.

"This problem has impacted major companies and private sector organizations," Ann Cavoukian told reporters, adding that it wasn't just the Canadian government's websites that were impacted by the vulnerability.

"So many companies, large businesses have been impacted by this."

When pressed further to comment on whether the bug should have been flagged prior to last week, she was hesitant to assign blame.

“Should they have been aware of it? I will let you be the judge of that."

The Heartbleed bug was disclosed early last week after being found independently by a small team at the Finnish security firm Codenomicon and by a Google Inc. researcher.

The flaw affects OpenSSL, one of the most widely used open-source cryptographic libraries, which provides the TLS encryption behind HTTPS on approximately two-thirds of web servers.

The bug is in OpenSSL's handling of the TLS "heartbeat" extension: the server copies as many bytes into its reply as the client claims to have sent, without checking that claim against the size of the message actually received. An attacker can therefore read up to 64 kilobytes of the server's memory per request, over and over, without authenticating and without leaving a trace in normal logs. Whatever happens to sit in that memory, such as session cookies, passwords, private keys or the contents of recent requests, can be pulled out.
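To make that mechanism concrete, here is an added worked model in C; it is not OpenSSL's code and not anything from the CRA incident. It mimics the shape of the heartbeat response path: a request record (type, two-byte payload length, payload, padding) sits at the start of a simulated memory region, and a constructed "secret" string stands in for whatever stale heap data follows it. The names `run_vulnerable`, `run_fixed` and `reply_leaks_secret` and the sample data are this example's own assumptions. The vulnerable handler trusts the client's declared length; the patched handler applies the same two bounds checks the OpenSSL 1.0.1g fix introduced and silently discards requests whose claim exceeds the record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not OpenSSL code: just enough of the TLS heartbeat
 * response path to show why an unchecked length field leaks memory. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16                 /* minimum padding the heartbeat RFC requires */
#define MEM_SIZE     (3 + 65535)        /* the largest possible over-read fits the model */

/* Constructed "process memory": the incoming record sits at the start and
 * whatever the allocator left behind it follows, here a made-up secret. */
static unsigned char process_memory[MEM_SIZE];
static const char secret[] = "SIN=123-456-789;session=deadbeef";   /* constructed */

static unsigned char reply_buf[MEM_SIZE];
static size_t reply_len;

/* Writes type(1) | payload_length(2) | payload | padding into process_memory and
 * returns the record's real length. declared_len is the client's claim; the
 * real payload is strlen(payload) bytes and may be far shorter. */
static size_t build_record(uint16_t declared_len, const char *payload) {
    size_t actual_len = strlen(payload);
    if (actual_len > 256) actual_len = 256;          /* keep the model small */
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(declared_len >> 8);
    process_memory[2] = (unsigned char)(declared_len & 0xff);
    memcpy(process_memory + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;
    memcpy(process_memory + record_len, secret, sizeof secret);   /* stale heap data */
    return record_len;
}

/* Vulnerable handler: echoes as many bytes as the client *claimed* to send.
 * Returns the reply length written to reply_buf. */
size_t run_vulnerable(uint16_t declared_len, const char *payload) {
    build_record(declared_len, payload);
    const unsigned char *p = process_memory;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    memset(reply_buf, 0, sizeof reply_buf);
    reply_buf[0] = HB_RESPONSE;
    reply_buf[1] = p[1];
    reply_buf[2] = p[2];
    memcpy(reply_buf + 3, p + 3, payload_len);   /* reads past the record */
    reply_len = 3 + payload_len;
    return reply_len;
}

/* Patched handler: the two bounds checks OpenSSL 1.0.1g added. Returns 0
 * (request silently discarded) when the claim exceeds the record. */
size_t run_fixed(uint16_t declared_len, const char *payload) {
    size_t record_len = build_record(declared_len, payload);
    const unsigned char *p = process_memory;
    memset(reply_buf, 0, sizeof reply_buf);
    reply_len = 0;
    if (1 + 2 + HB_PADDING > record_len) return 0;
    uint16_t payload_len = (uint16_t)((p[1] << 8) | p[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len) return 0;
    reply_buf[0] = HB_RESPONSE;
    reply_buf[1] = p[1];
    reply_buf[2] = p[2];
    memcpy(reply_buf + 3, p + 3, payload_len);
    reply_len = 3 + payload_len;
    return reply_len;
}

/* Did the last reply carry the bytes that sat beyond the record? */
int reply_leaks_secret(void) {
    size_t n = sizeof secret - 1;
    for (size_t i = 0; i + n <= reply_len; i++)
        if (memcmp(reply_buf + i, secret, n) == 0) return 1;
    return 0;
}

int main(void) {
    run_vulnerable(16384, "ping");
    printf("vulnerable, claimed 16384 bytes for a 4-byte payload: leak=%d\n",
           reply_leaks_secret());
    run_fixed(16384, "ping");
    printf("patched, same request: reply bytes=%zu leak=%d\n",
           reply_len, reply_leaks_secret());
    return 0;
}
```

The model deliberately places the secret right after the record; on a real server the over-read returns whatever 64 KB happens to follow the record in the heap, which is why attackers repeated the request many times and sifted the results. Note also that the patched handler drops the malformed request rather than answering it, so a probe against a fixed server simply times out.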

“The theft of personal data from federal government computing resources has been on the rise, and this mid-sized theft is a part of that trend,” Baumgartner said in an email to CTV News.

The stolen personal data is often traded with cybercriminals in exchange for virtual currency, making it difficult to track down the individuals responsible, he adds.

“Unfortunately, the interesting development is that we observe increased black market activity on [anonymous] hidden service servers, supported by Bitcoin transactions to maintain better anonymity and secrecy for the criminals trading in this data and these services.”